<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>HTML Application - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/html-application/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 15:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/html-application/feed.xml" rel="self" type="application/rss+xml"/><item><title>Script Execution via Microsoft HTML Application</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-script-execution-via-mshta/</link><pubDate>Wed, 03 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-script-execution-via-mshta/</guid><description>Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries by using rundll32.exe or mshta.exe to execute scripts via HTML applications.</description><content:encoded><![CDATA[<p>Attackers leverage Microsoft HTML Applications (HTA) to execute scripts in a trusted environment, often using <code>rundll32.exe</code> or <code>mshta.exe</code>, to evade defenses. This technique, observed in various campaigns since at least 2020, involves proxying malicious script execution through signed binaries, making detection challenging. The scope of this threat extends to any Windows environment where users can execute HTML applications. Defenders must monitor for suspicious command-line arguments and parent-child process relationships involving <code>mshta.exe</code> and <code>rundll32.exe</code>.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The user downloads a malicious HTA file, often disguised as a legitimate document, from a phishing email or compromised website.</li>
<li>The user executes the downloaded HTA file, which triggers the execution of <code>mshta.exe</code>.</li>
<li><code>mshta.exe</code> interprets and executes the embedded script within the HTA file.</li>
<li>The script may contain obfuscated or encoded commands to evade detection.</li>
<li>The script utilizes techniques such as <code>GetObject</code>, <code>WScript.Shell</code>, or <code>RegWrite</code> to perform malicious actions.</li>
<li><code>mshta.exe</code> executes commands to download and execute additional payloads.</li>
<li>The downloaded payloads establish persistence, escalate privileges, and perform lateral movement.</li>
<li>The final objective includes data exfiltration, deploying ransomware, or establishing a persistent backdoor.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to complete system compromise, data theft, and ransomware deployment. Affected systems can be leveraged for further attacks within the network, impacting all connected devices. Victims may experience significant financial losses, reputational damage, and operational disruption. The broad scope of Windows environments makes this a widespread threat, particularly affecting organizations that rely on user-executed scripts and applications.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor process execution for <code>rundll32.exe</code> and <code>mshta.exe</code> with command-line arguments containing suspicious script-related keywords using the Sigma rules provided.</li>
<li>Investigate instances of <code>mshta.exe</code> executing from common download locations such as the <code>Downloads</code> folder, as highlighted in the rule logic.</li>
<li>Implement application control policies to restrict the execution of unsigned or untrusted HTA files.</li>
<li>Audit and review parent-child process relationships involving <code>mshta.exe</code> and <code>rundll32.exe</code> to identify anomalous behavior.</li>
<li>Deploy the Sigma rules in this brief to your SIEM and tune for your environment.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>defense-evasion</category><category>script-execution</category><category>mshta</category></item></channel></rss>